Our favorite 5 hacking items

1. Tips/Video of the week

These are advanced Burp hacks by James Kettle of PortSwigger Web Security. His day job is to design vulnerability detection techniques for Burp Suite, so when he shares tips on how to maximize your Burp ROI, he knows his stuff!

The talk is addressed to bug hunters, but the tips also apply to pentesters. I’ve been using Burp pro for years and wasn’t aware of many of these hacks.

2. Tutorial of the week

This is a great introduction to subdomain takeovers for bug hunters: what they are, the difference with second-order subdomain takeovers, the methodology and tools to detect them, multiple exploitation scenarios, etc.

Vuln 1: When Nuxeo is used with Tomcat, it is possible to bypass authentication by requesting /nuxeo/login.jsp;/..;/[unauthorized_area] (equivalent to /nuxeo/[unauthorized_area]). But you get a 500 error.
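The reason such a request slips past authentication is a normalization mismatch: the filter deciding which pages are public looks at the raw request URI, while the container strips `;path-parameters` from each segment and resolves `..` before routing. The following is an added example written for this newsletter, not code from the original writeup or from Nuxeo/Tomcat; it models both views of the path in a simplified way (the exact Nuxeo filter logic is an assumption), shows where they diverge, and flags access-log lines carrying the tell-tale mix of path parameters and dot-segments. The log lines and paths such as /nuxeo/admin are constructed sample values.

```python
from urllib.parse import urlsplit

# Pages the (modelled) auth filter lets through without a session.
PUBLIC_PREFIXES = ("/nuxeo/login.jsp",)


def filter_view(raw_uri: str) -> bool:
    """Naive filter: decides 'public or not' on the raw URI, path parameters and all.
    Assumed Nuxeo-like behaviour for illustration."""
    return raw_uri.startswith(PUBLIC_PREFIXES)


def container_view(raw_uri: str) -> str:
    """Path the container actually routes to: drop ';...' from every segment
    (the ';jsessionid=..' mechanism), then resolve '.' and '..' segments.
    Assumed Tomcat-like behaviour for illustration."""
    path = urlsplit(raw_uri).path
    out = []
    for seg in path.split("/"):
        seg = seg.split(";", 1)[0]      # path parameters are discarded per segment
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out)


def auth_bypassed(raw_uri: str) -> bool:
    """True when the filter says 'public' but the container serves a non-public path."""
    return filter_view(raw_uri) and not container_view(raw_uri).startswith(PUBLIC_PREFIXES)


def flag_suspicious(log_lines):
    """Detection over access-log lines: a request path that mixes ';' path
    parameters with '..' segments is essentially never sent by a real client."""
    hits = []
    for line in log_lines:
        try:
            path = line.split('"')[1].split(" ")[1]   # '"GET /path HTTP/1.1"' -> /path
        except IndexError:
            continue
        if ";" in path and ".." in path:
            hits.append(path)
    return hits


# Constructed sample log lines (combined log format).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2019:10:00:00 +0000] "GET /nuxeo/login.jsp HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2019:10:00:01 +0000] "GET /nuxeo/login.jsp;/..;/admin/index.xhtml HTTP/1.1" 500 0',
    '10.0.0.7 - - [01/Jan/2019:10:00:02 +0000] "GET /nuxeo/site/api/v1;jsessionid=ABC HTTP/1.1" 200 120',
]

if __name__ == "__main__":
    uri = "/nuxeo/login.jsp;/..;/admin/index.xhtml"
    print("filter sees public:", filter_view(uri))
    print("container routes to:", container_view(uri))
    print("flagged:", flag_suspicious(SAMPLE_LOG))
```

The fix on the application side is to make the filter decide on the same normalized path the container routes to (or to deny any URI containing path parameters outright); the detection function is cheap enough to run over a whole access log.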

Vuln 2: It is possible to access unauthorized Seam servlets by using http://host/whatever.xhtml?actionMethod=/foo.xhtml:user.username (where user.username is the Expression Language (EL) you want to execute)

Vuln 3: By chaining two ELs, it is possible to execute an arbitrary EL (the second one) if you can control the value returned by the first one

Vuln 4: It is possible to bypass Seam’s EL blacklist by changing "".getClass().forName("java.lang.Runtime") to ""["class"].forName("java.lang.Runtime")
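The lesson of Vuln 4 is that a denylist over the text of an expression only catches the spelling its author had in mind: EL lets `obj.class` and `obj["class"]` mean the same thing. Below is an added example (written for this newsletter, not code from Seam or from the original writeup) that contrasts a substring denylist of the kind described with a check that canonicalizes bracket access first, and with a positive allowlist that only admits plain `bean.property` chains. The denylist contents are constructed for the example; they are not Seam's actual list.

```python
import re

# Toy denylist of the kind described in Vuln 4 (constructed for this example).
NAIVE_DENYLIST = ("getClass", ".class")


def naive_blocked(expr: str) -> bool:
    """Substring denylist: catches the spelling it was written for and nothing else."""
    return any(token in expr for token in NAIVE_DENYLIST)


# obj["name"] or obj['name']  ->  obj.name
_BRACKET_ACCESS = re.compile(r"""\[\s*(["'])([A-Za-z_]\w*)\1\s*\]""")


def canonicalize(expr: str) -> str:
    """Rewrite quoted bracket access into dot access so both EL spellings of a
    property access look identical to whatever check runs afterwards."""
    return _BRACKET_ACCESS.sub(lambda m: "." + m.group(2), expr)


def hardened_blocked(expr: str) -> bool:
    """Same denylist, applied after canonicalization."""
    return naive_blocked(canonicalize(expr))


# Positive model: identifier chains only; no literals, calls, brackets or operators.
_SIMPLE_CHAIN = re.compile(r"^[A-Za-z_]\w*(\.[A-Za-z_]\w*)*$")


def allowlisted(expr: str) -> bool:
    """Accept only bare bean.property chains that also pass the canonical denylist."""
    return bool(_SIMPLE_CHAIN.match(expr)) and not hardened_blocked(expr)


if __name__ == "__main__":
    # The two spellings quoted in Vuln 4 and the benign expression from Vuln 2.
    for e in ('"".getClass().forName("java.lang.Runtime")',
              '""["class"].forName("java.lang.Runtime")',
              'user.username'):
        print(f"{e!r:50} naive={naive_blocked(e)!s:5} "
              f"hardened={hardened_blocked(e)!s:5} allowlisted={allowlisted(e)}")
```

Canonicalizing before matching closes the specific gap, but it is still a denylist chasing syntax; the durable fix is the allowlist shape, or better, not evaluating request-supplied EL at all and resolving `actionMethod` against a fixed table of permitted actions.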

By combining these 4 vulnerabilities, it is possible to inject shellcode (in JBoss EL) and get an RCE.

It’s been a while since conference videos pertaining to pentest/bug bounty/red team were released. So it was refreshing to watch some of these talks (instead of just reading slides). Some are very technical and advanced, and others are not technical but are still informative. So there should be something for everyone here.